IT networks are handling more data than ever before: we’re currently creating roughly 2.5 quintillion bytes of data every day, according to the latest Data Never Sleeps research from Domo.This data is also being accessed by more people, more devices, and from more locations than ever before, making it nearly impossible for organizations to keep up with the number of security professionals they need  to safeguard the ever-expanding oceans of data being generated. One area where this mismatch is particularly challenging is authentication and access log analysis, a critical task for finding and responding to accounts that have been compromised.

According to Verizon’s 2017 Data Breach Investigations report, 81% of data breaches involve weak or stolen credentials, and 32% of those surveyed at the 2017 Black Hat conference said accessing privileged accounts was their number one choice for the easiest and fastest way to hack systems. This means that failing to carefully monitor account authentication and access puts a network and its data clearly in the crosshairs of cybercriminals. Worse, the longer a compromised account goes unnoticed, the harder the breach is to isolate and eradicate, reports IBM's Cost of Data Breach study.

It’s critical that potential compromises are uncovered quickly and appropriate action taken. Automating the process of account monitoring is an effective solution to this problem because relying on manual, time consuming reviews and infrequent or ad-hoc audits is no longer adequate, given the dynamic nature and span of modern networks. Here are three steps for getting started:

Step 1: Create a comprehensive account audit trail. This will result in more in-depth analysis and reporting of authentication and access events, which puts the security team on the front foot in the race to spot unwanted access. Configured correctly, access and authentication systems can produce a wealth of information that allow behavior and context analysis tools to determine if accounts are under threat of compromise, or are likely to have become compromised.

Step 2: Lay the groundwork for an instant response. The same data in the audit trail can also be used to generate a more appropriate response since a blunt block/allow reaction is nowhere near subtle enough in our constantly connected world. Instant responses allow genuine users and tasks to proceed with little interruption, while inappropriate activity has to be halted before any real damage can be done.

Step 3: Improve detection and response times with automation. This will also reduce the security team’s workload. In addition, identity assurance solutions can greatly reduce the risks of account compromise; consolidating and enriching in-house generated logs with third-party threat intelligence will help further finesse detection and response activities such as blocking access from blacklisted IP addresses.

Responding to Account Compromise
The response should be based on risk assessments and data classification policies, requiring users to provide additional authentication if the situation warrants it, or a step-up authentication challenge when trying to access resources through an unauthorized proxy, for example. Adapting responses to the exact nature and context of suspicious events, instead of always having to immediately lockout a user or terminate a session allows a network to accommodate genuine user and system activities, while containing, mitigating, and eradicating the real threats.

Having this capability not only stops attempts to compromise accounts but also provides insights into how existing security controls and policies can be refined, strengthened and improved, based on real events. For example, you can assess whether more security awareness training is needed for employees travelling overseas, if you need to roll out two-factor authentication to other areas of the enterprise, or address any other unforeseen scenario that has been detected.

A critical aspect of securing data is knowing who is accessing it, which puts authentication at the heart of any security policy. Two-factor authentication is becoming essential to safeguard important data, but so too is the ability to quickly detect and respond to activities that may indicate someone is trying to by-pass or abuse account authentication. The average time from breach to detection is 146 days, which is just not good enough, given the amount of data even small companies are responsible for, and the number of people and devices accessing the data. Security teams need to be supported by automated identity management solutions to ensure the level of security matches the volume and value of the data they’re entrusted with.

Learn how to protect against data breaches with Okta

Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security, and has written numerous technical articles for leading IT publications. He has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS). Mike has a passion for making IT security best practices easier to understand and achievable. His website www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data, and of following good practices.